lodcomm

PIX-to-PIX: How to redirect incoming traffic over VPN

Greetings security professionals.

I have two locations, A and B.
There is a PIX515E (OS 7.1) at each location.
They are linked by a working VPN tunnel.
A's inside address space is 192.168.1.0/24
B's inside address space is 10.0.32.0/24

A has a /24 external (globally routable) address space.
I want to be able to take one of those external addresses on the A-side PIX515E and NAT/"redirect" it over the VPN tunnel to one of B's inside addresses.

For example: 199.120.223.130 -> 10.0.32.251

199.120.223.130 is an external address on A-side.
10.0.32.251 is an inside address on B-side.

I've tried various attempts over the last two days without success. Is this even possible? Any help greatly appreciated.
My current working config is pasted below (routable addresses obscured).

corey
: Saved
:
PIX Version 7.1(2)
!
hostname pix
domain-name corey.com
enable password * encrypted
names
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 198.145.250.2 255.255.255.252
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif    
 no security-level
 no ip address
!
passwd * encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name corey.com
same-security-traffic permit intra-interface
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 106 extended permit ip 192.168.1.0 255.255.255.0 10.0.32.0 255.255.255.0
access-list 107 extended permit ip any 10.0.32.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 107
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 199.120.223.129 192.168.1.5 netmask 255.255.255.255
static (inside,outside) 199.120.223.130 10.0.32.251 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 198.145.250.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.7 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map map1 10 match address 106
crypto map map1 10 set peer 79.64.25.118
crypto map map1 10 set transform-set myset
crypto map map1 interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 79.64.25.118 type ipsec-l2l
tunnel-group 79.64.25.118 general-attributes
tunnel-group 79.64.25.118 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 60
console timeout 0
Cryptochecksum:1575c605c799d09351813140d875e3c5
: end
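An added checker, written for this thread and not part of the original post: it parses the two access-lists from the posted config and asks which flows the A-side crypto map (match address 106) would actually encrypt. The inbound redirect case uses a constructed Internet client address (203.0.113.10); after the static maps 199.120.223.130 to 10.0.32.251 the packet's source is still that client, which ACL 106 (192.168.1.0/24 to 10.0.32.0/24 only) does not select, while the nat 0 list 107 does match it.

```python
import ipaddress

# The two access-lists copied verbatim from the posted A-side PIX config:
# 106 is the crypto-map match list, 107 is the NAT-exemption (nat 0) list.
PIX_ACLS = """
access-list 106 extended permit ip 192.168.1.0 255.255.255.0 10.0.32.0 255.255.255.0
access-list 107 extended permit ip any 10.0.32.0 255.255.255.0
"""

def _parse_addr(tokens):
    """Consume one PIX address spec ('any', 'host A.B.C.D', or 'A.B.C.D MASK')."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_acls(text):
    """Map ACL name -> [(src_net, dst_net)] for 'extended permit ip SRC DST' lines only."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[3:5] != ["permit", "ip"]:
            continue
        rest = t[5:]
        src, dst = _parse_addr(rest), _parse_addr(rest)
        acls.setdefault(t[1], []).append((src, dst))
    return acls

def acl_permits(aces, src_ip, dst_ip):
    """True if any ACE covers the flow (both posted lists contain only permits)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in aces)
ACLS = parse_acls(PIX_ACLS)

def tunnel_selects(src_ip, dst_ip):
    """Would 'crypto map map1 10 match address 106' send this flow into the VPN?"""
    return acl_permits(ACLS["106"], src_ip, dst_ip)

def nat_exempt(src_ip, dst_ip):
    """Would 'nat (inside) 0 access-list 107' exempt this flow from NAT?"""
    return acl_permits(ACLS["107"], src_ip, dst_ip)

if __name__ == "__main__":
    # Tunnel flow vs. the redirect flow (Internet client 203.0.113.10 is constructed;
    # after the static maps 199.120.223.130 -> 10.0.32.251 its source is unchanged).
    print("A inside -> B host, in tunnel :", tunnel_selects("192.168.1.5", "10.0.32.251"))
    print("Internet -> B host, in tunnel :", tunnel_selects("203.0.113.10", "10.0.32.251"))
    print("Internet -> B host, NAT exempt:", nat_exempt("203.0.113.10", "10.0.32.251"))
```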
rsivanandan

I'm not sure if this is even doable, but I've not worked on 7.0 yet. Just curious, why do you want to do it? I mean, on the other side (B side) PIX, don't you have a public address you could redirect it to through a static statement?

Or else you could even do a port redirection, in case you don't have a spare static address at the B side.

Cheers,
Rajesh
lodcomm

ASKER

The reason I want to do this is simple. I need to temporarily redirect all IP traffic from one physical location to another, and it cannot be done with DNS changes.

ASKER CERTIFIED SOLUTION
Les Moore

lrmoore, are you sure about that not working with 7.x?
In 7.x they allow for intra-interface traffic. I haven't tried it on 7.x, but will for the hell of it to check. 6.x won't, though. However, wouldn't a downfall of the needed configuration (since you are trying to use "any") be that all traffic from either the B network or that host on B would have to be routed through the VPN to the A network and then out?

Until 7.x, traffic in PIXs was not allowed to travel between interfaces of the same security level (which of course included going in and out the same interface). However, I have to agree with lrmoore on this one; it's either not feasible or not possible.

What I would try is do a static to a host on A, then have that host do a translation to the host on B and forward that packet on so that the host on B thinks the request came from the host on A.  How you'd do that could be difficult depending upon the A host you use.  This way the site-to-site VPN config doesn't need any changing and everything should route fine, provided the A host is properly configured to mangle the IP packet to source nat the packet to itself.

Or am I just wishful thinking that this would work?
lodcomm

ASKER

lrmoore, Cyclops3590  --

Thanks for your comments.

corey